My Identity Was Stolen. Here’s How They Did It

I recently received a call that I’d hoped would never come. My bank informed me that a thief with knowledge of my social security number, address, birthdate, and mother’s maiden name had succeeded in changing the contact information associated with my credit card. The representative I spoke with told me we were dealing with a professional identity thief and that I should assume all of my personal information had been compromised.

The representative continued, instructing me on what I should do immediately to try to control the damage. I tried taking notes but I was reeling. Life as I knew it, or so I told myself, would never be the same.

Each year 13 million Americans, or 5% of the entire U.S. adult population, are victims of identity theft. Fraudulent transactions, including purchases made on existing credit cards, opening new lines of credit, and wiring money from victims’ bank accounts, cost financial institutions and individuals more than $20 billion each year, according to a recent study by financial analysts at Javelin Strategy & Research. But how are identities stolen, how do banks like mine detect fraudulent use, and what, if anything, can we do to protect ourselves?

A Numbers Game

Try to guess an individual’s social security number and you’ll quickly realize that the nine-digit code provides the apparent anonymity of roughly 1 billion different number combinations. It’s enough to keep a den of thieves guessing from here to eternity, right? Not so, says Alessandro Acquisti, professor of information technology and public policy at Carnegie Mellon University.

In 2009, Acquisti showed that, with some basic demographic information and a general understanding of how the federal government assigns social security numbers, miscreants could predict individuals’ numbers with an alarmingly high degree of accuracy.

Combing through millions of publicly available records of deceased individuals’ social security numbers, Acquisti and his colleagues were able to reconstruct how such numbers are assigned. Given an individual’s birthdate and the state they were born in, the researchers could, in some cases, predict the first five digits of an individual’s social security number with more than 90% accuracy.


All of this assumes that a thief knows the date and location of your birth, facts which some of your friends may not even know. But chances are this information is hiding in plain sight. Using a webcam and commercially available image recognition software, Acquisti’s team was able to identify by name 30% of students on a North American college campus simply by taking their picture and matching it to a database of publicly available images downloaded from Facebook. In many cases the Facebook accounts provided the dates and locations of students’ births. Using this information, the team could then predict the first five digits of a student’s social security number in four attempts with 28% accuracy.

Guessing the remaining four digits is relatively easy. “If you assume a brute force attack where you try combinations of one thousand different social security numbers, then the probability of successfully getting the right number for certain states and years of birth can be disturbingly high,” Acquisti says. “You can start with something as anonymous as a face in a crowd and end up with very sensitive information about that person.”

ID thieves have gone well beyond nabbing old credit cards from your trash.

Acquisti’s research offers a proof of concept, though it’s unclear whether identity thieves actually take such a circuitous route to acquire information. Easier targets are the data centers of financial institutions and credit bureaus that aggregate consumer information.

Last month, online security expert Brian Krebs revealed that an underground identity theft service which illegally sold Social Security numbers had obtained much of its data by conning Experian, one of the three major credit bureaus, into selling it to them. “Secured databases are a much more concentrated target,” says Cormac Herley, a security expert with Microsoft Research. “Thieves are not going after one identity but thousands or millions of them.”

A Call From Somewhere

Once an individual’s identity has been stolen, thieves, as I recently discovered, often target call centers. “There are three ways to rob a bank,” says Vijay Balasubramaniyan, CEO of Pindrop Security. “You can walk in with guns, you can hack into their online systems, or you can call in using a phone. Fraudsters always move to the weakest link, and the phone channel has quickly become the weakest link.”

What makes phones weak, Balasubramaniyan says, is a fraudster’s ability to manipulate individuals on the other end. “A computer is emotionless,” he points out. “It won’t react to you differently based on what you say. But if you have a human on the other end, you can start figuring out what their weaknesses are and start using that to your benefit.”

Balasubramaniyan gives examples of two highly successful types of thieves his company is monitoring. One begins shouting when he doesn’t get the information he wants. He claims to have been a customer for years and threatens to report the representative to his or her supervisor if he or she doesn’t provide the information he seeks. Another, he says, “kills with kindness,” calling representatives “Sir” or “Madam” and complimenting female representatives on the sound of their voice.

In the past, many such attempts were thwarted when the accent of a foreign fraudster gave them away. “What if I’m a Russian hacker and I’ve stolen a US credit card?” asks Daniel Cohen, a cybersecurity strategist with RSA Security LLC. “If I call a call center, they will pick up on my accent.” RSA has seen a growing trend in recent years of underground, online marketplaces that provide identity thieves with “professional callers” who mimic the identity theft victim’s gender, age and accent. “Say I’ve stolen someone’s identity from Mississippi, I could then ask for someone with a southern accent—it’s that developed,” Cohen says.

To prevent such call center fraud, financial institutions rely on something known as knowledge-based authentication, or KBA. Long the gold standard for call center security, KBA is a series of questions and answers related to things like prior residences and financial information that only the consumer should know.

Depending on how far back the questions go, however, consumers often don’t recall the correct answers. In fact, identity thieves who obtain an individual’s credit information can often answer the questions better than the victim they are impersonating.

Black market sites offer services that help thieves profit from stolen identities, including making calls to banks, stores, and more by people with native accents.

If fraudsters gain access to an individual’s KBA information, as likely occurred in my case, the consequences can be far worse than simply having one’s credit card information or social security number compromised. “It’s pretty much the worst thing that can happen to you from a financial data perspective,” says Avivah Litan an analyst with information technology firm Gartner, Inc.

It’s possible that the thief had obtained my KBA information through a massive breach of KBA data uncovered on September 25 by Krebs, the security expert who revealed the recent breach at Experian. He found that hackers had entered computer servers at LexisNexis, one of the largest providers of KBA information to financial institutions. Hackers placed a “tiny unauthorized program called ‘nbc.exe’ on the company’s servers,” Krebs writes, likely getting it there either by exploiting a weakness in the servers’ configuration or through a malicious email. The program was designed to open an encrypted channel of communication between LexisNexis’s internal computers and botnets, networks of private computers infected with malicious software and controlled over the internet by the identity thieves. It’s unclear what data the thieves gained from the breach, though they may have acquired the KBA data of millions of Americans. “They have always been compromised,” Litan says of KBA data, “but now they are massively compromised.”


To fill the void of compromised KBA data, banks have started to rely on something known as “phoneprinting,” or the ability to verify the origin of a call. Such verification is now needed because the profusion of online and mobile phone technology in recent years has made it increasingly difficult to tell where a call is really coming from. Thieves use this to add another layer of credibility to their fraud, making it seem as though a call was originated from your number even if the caller is halfway around the world.

“I have half a dozen apps on my smartphone that can spoof your number,” Pindrop’s Balasubramaniyan tells me at a recent conference. To prove it, he opens an app called callerID Faker. Before I know it, the caller ID on my phone tells me I have an incoming call from my own office number.

Balasubramaniyan has these apps on his phone for a good reason—his company offers call centers a way to verify the source of a call. By analyzing different aspects of the sound quality in a call, Pindrop’s software can quickly determine whether the call originates from a cell phone in Cincinnati or from a Skype call in Siberia. “Imagine 15 seconds into a call, your bank gets an alert saying this is not Phil McKenna,” Balasubramaniyan says.

Pindrop’s software analyzes 147 different aspects of sound quality. It then creates a database of unique “phoneprints” for calls made from different locations using different networks and phone types.

A Pindrop analysis of calls in a string of identity theft cases revealed the top 200 numbers connected to the thief's actual phone number (middle).

For example, Voice Over Internet Protocol (VoIP) calls such as those made on Skype contain something known as packet loss, or small breaks in the audio signal as a result of how the digital information is transmitted across these networks. The breaks are only milliseconds long, too short to be detected by a human ear, but contain a wealth of information. “I can look at the length of the break and tell you which company—Skype, Google Voice, or magicJack—the caller is using,” Balasubramaniyan says.
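The measurement underneath that claim, as an added illustration rather than Pindrop’s own code: a run-length scan of a narrowband call frame that finds dropouts far too short to hear and reports their lengths. The audio is constructed (an 8 kHz tone with zero-filled gaps standing in for lost packets), and the thresholds are assumptions chosen for the example; the mapping from gap lengths to a particular provider is the vendor’s proprietary work and is not reproduced here.

```python
"""Find sub-audible dropouts in call audio, the raw material of a
"phoneprint". Constructed example: an 8 kHz PCM tone with zero-filled gaps
standing in for lost VoIP packets; thresholds are assumptions."""
import math

SAMPLE_RATE = 8000          # narrowband telephony, samples per second
SILENCE_THRESHOLD = 0.01    # |sample| below this counts as silence (assumed)
MIN_GAP_MS = 5.0            # ignore zero crossings and natural micro-pauses (assumed)


def make_call_audio(duration_s=1.0, gaps_ms=(20.0, 20.0, 40.0)):
    """Constructed 440 Hz tone with dropouts inserted at evenly spaced offsets.
    Each gap is a run of zero samples gap_ms long, one lost packet's worth."""
    n = int(duration_s * SAMPLE_RATE)
    audio = [0.5 * math.sin(2 * math.pi * 440 * i / SAMPLE_RATE) for i in range(n)]
    spacing = n // (len(gaps_ms) + 1)       # keeps the gaps from touching
    for k, gap_ms in enumerate(gaps_ms, start=1):
        start = k * spacing
        length = int(gap_ms * SAMPLE_RATE / 1000)
        for i in range(start, min(start + length, n)):
            audio[i] = 0.0
    return audio


def dropout_lengths_ms(audio):
    """Return the duration in whole ms of every silent run at least MIN_GAP_MS long.
    A run is a stretch of consecutive samples with magnitude under SILENCE_THRESHOLD;
    a single near-zero sample at a zero crossing (0.125 ms) never qualifies."""
    gaps, run = [], 0
    for sample in audio + [1.0]:            # sentinel closes a trailing run
        if abs(sample) < SILENCE_THRESHOLD:
            run += 1
            continue
        if run:
            ms = run * 1000.0 / SAMPLE_RATE
            if ms >= MIN_GAP_MS:
                gaps.append(round(ms))
            run = 0
    return gaps


def dropout_histogram(audio):
    """Count dropouts by duration. The shape of this histogram is one feature
    a call-center system could compare against profiles of known networks."""
    hist = {}
    for ms in dropout_lengths_ms(audio):
        hist[ms] = hist.get(ms, 0) + 1
    return hist


if __name__ == "__main__":
    print(dropout_histogram(make_call_audio()))   # {20: 2, 40: 1}
```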

Pindrop can also identify which network a caller is using by the background noise. Prior to the digitization of phone networks, calls made on analog telecommunication systems all broadcast a slight hiss that let you know the line was live on other end. When phone companies moved to digital transmission, there was no ambient noise. To ease the transition for users, companies recreated it, calling it “comfort noise.” “Each network did it in a different way, so it allows us to identify the network by the characteristics of their comfort noise,” Balasubramaniyan says.

The various measures Pindrop uses allow the company to correctly identify the provenance of a call, including phone type, network used, and rough geographic location, with over 90% accuracy.

The company recently exposed a fraudster in Eastern Europe who had been using stolen KBA information. Once Pindrop’s software revealed the identity thief wasn’t who he claimed to be, it was obvious he was using stolen information. “When he was asked ‘what is your mother’s maiden name,’ we could actually hear him flipping through his notes,” Balasubramaniyan says.

What Can You Do?

For every breach in security new technologies emerge to try to prevent fraud, technologies that in turn will likely be thwarted at some point in the future. It’s a seemingly endless arms race between financial institutions and identity thieves. Still, I can’t help feeling like the recent theft of my information was somehow my fault.

Not that I hadn’t taken precautions. I was careful with my personal information. I shredded documents and used strong online passwords. I didn’t fall for obvious phishing scams like pleas from wealthy Nigerians seeking to transfer large sums of money. But perhaps I should have changed passwords more frequently, added additional verification measures, or shared less on social media.

Vern Paxson, a computer security expert at the University of California, Berkeley, absolves me of any such guilt. “Not only is there nothing you did wrong but probably nothing you could have done differently,” he says. The problem, he says, is massive breaches at data centers like the recent ones at Experian and LexisNexis. Professional identity thieves don’t have time to weed through individuals—they’d rather exploit the richest resource, the central databases.

No system is perfectly secure, but there are relatively easy steps that financial institutions could take now that would help prevent such breaches from occurring. Simply requiring organizations to establish security policies on how they safeguard consumer information would go a long way, says David Thaw, a professor at the University of Connecticut School of Law. In a recent study of health care and financial industries, Thaw found that institutions that had such policies were four times better at preventing security breaches than those that didn’t.


Acquisti, who showed it is possible to predict social security numbers, suggests we do away with the numbers entirely. The problem, he says, is that they are used for both identification and verification. It’s the equivalent of giving out your phone number to people so they can call you and then using that same number as the pass code for your voicemail. “No sane person would do that,” he says.

Still, Acquisti concedes that gutting social security numbers may be prohibitively expensive. “As a whole, these costs, borne by different parties from identity theft, may be less than changing to an entirely new system,” he says. And even if we did change systems, it’s unlikely that the replacement would succeed in stopping identity theft for very long. “Fraud is as old as our species,” says Bruce Schneier, a security expert at the Berkman Center for Internet and Society at Harvard University. “The crime rate will never be zero in society. The trick is to make it manageable.”

Schneier dismisses the severity of recent data center breaches, saying similar events have occurred on a regular basis for years. The key metric, he says, is how quickly identity theft is identified and corrected after it occurs. “A few years ago it was an absolute disaster,” Schneier says, adding that if my identity had been stolen at that time, I may well have been out $50,000 and spent years restoring my credit. In my case, my credit card company thwarted my identity thieves before they made a single charge.

I did, however, lose several days of my life trying to shore up my compromised identity. After getting off the phone with my credit card company, I alerted the three major credit bureaus of the theft and reviewed my credit report to rule out any further damage. I then called every financial institution that I have an account with to set up a new, unique verbal password that they will ask me each time I call. Two banks required that I visit one of their local branches to set up the password in person. Another institution initially failed to set up my new password correctly. They continued to ask only for my social security number and mother’s maiden name until I escalated my case to a call center supervisor.

After setting up these initial protections, I then submitted an affidavit to the Federal Trade Commission and visited my local police station to fill out a report. The latter allowed me to put a five-year freeze on my credit report with all three credit bureaus. I’ll have to jump through some additional hoops the next time I want a new credit card, but the freeze should make it much harder for a thief to open a new line of credit in my name.

The time that millions of identity theft victims like me spend recovering from such cases each year isn’t insignificant. Microsoft’s Herley estimates that the time US consumers lose each year to simply maintaining existing passwords and other security measures runs in the billions of dollars.

Yet, as inconvenient as it was, Schneier says my experience is, in fact, proof that the system works. “They caught it before anything bad happened. What more do you want?”